Saturday, September 27, 2014

I'm not sure when it happened, but I noticed that Provident Funding now supports mint.com integrations! They also seem to have changed at least a couple of the other issues I complained about here. Yay!

Original Post

As a software developer for web applications, I take a keen interest in Internet Security. One of the more interesting aspects of this field is that there are some practices intended to make a site more secure, which don't always actually improve security. At best, these practices are an unnecessary burden to the user. At middling, they'll give the user and the provider a false sense of security, and make them less likely to notice other, more important issues. And at worst, they'll actually cause a user to compromise his security more by creating workarounds to byzantine policies.

A classic example is password strength rules. For those with enough training in information technology, this simple comic is enough to explain why the password strength rules used by most websites have trained most people to come up with passwords that are hard to remember, but easy to hack.

And in fact, the whole concept of a password is fundamentally flawed: every time you log in, you have to enter your password. That means that any time you use a computer that might have had a keylogger installed, or any time you enter it while someone might have been looking at your fingers, or a video camera might have caught your fingerstrokes, your password is potentially compromised. The very act of entering a password represents a security vulnerability in and of itself. We just haven't figured out a better solution that's convenient enough to work for most people.

I think the standard minimum password length for most websites I've seen recently has been 8 characters, but they insist on you mixing numbers, symbols, and upper- and lower-case letters. The problem is that most people choose ways of adding these elements that are dead simple for a hacker and his tools to guess. So they hardly add any difficulty at all if someone is trying to guess your password. At the same time, 8 characters isn't really enough to prevent the types of attacks that these rules are trying to prevent. This topic is worth an entire blog post of its own.

But as bad as that is, there are occasionally even worse cases. For example:

Until a couple of years ago, American Express's website limited peoples' passwords to 8 letters. You couldn't create a longer, stronger password even if you wanted to!

I once asked the company handling HR for an employer to send me my username, because they'd used an auto-assigned username that I could never seem to remember. A kind lady there sent me an email with both my username and my password in it. And this was the company handling my paychecks! This was at least three strikes against that company all in one go:

It implies that the company stores passwords in a way that it's possible to retrieve them.

It means that the people working for this company have the ability to see these passwords (not just have them automatically sent to users, but actually see them.)

Email is not secure, and should never be used to send passwords (except possibly a temporary, random password that you're required to change within a time limit.)

When people managing a web application are making decisions about their security policies, they need to think very carefully about them. Even policies that seem like they'll make things more secure might encourage worse security practices. For example, if you make users change their password every few months, they're most likely going to do one of the following:

Stop using a decently unique password that they would have remembered through muscle memory, and switch to using an easy-to-guess pattern, so they don't have to keep trying to think up a new one every three months. Variants of spring/summer/fall/winter are very common in this case.

Keep using the same basic password, but change it in a predictable way. (e.g. add 1 to a number at the end every time they have to change it)

Put their passwords on a sticky note next to their monitor, at least for the first week or two. (Many people do this anyway, but they'll be far more tempted if they're constantly being forced to come up with new passwords.)

Any time you introduce a procedure that gives the illusion of added security, without actually causing things to be more secure, you create a false sense of security, which can be dangerous. I'd like to highlight some of these false security procedures that are practiced by Provident Funding, a loan servicer:

They stopped allowing users to connect their Mint.com accounts to their Provident Funding accounts. They claim that this is to improve the security of their customers because they don't have any control over what happens to that information once it enters Mint.com.

This might be a valid concern for their customers, but not for the company itself. After all, the company doesn't have power over what users do with their own information that they view on their website either. There's nothing stopping those users from downloading all their statements and sending them to Nigerian con artists, if that's what they choose to do with their own data.

They used to have this connection to Mint.com. Are they trying to say that they were not secure before?

Mint.com is owned by Intuit, who also provides such products as Quicken and TurboTax. Do you really think that their security practices are going to be anything less than impeccable?

Most users don't actively manage their loan accounts from month to month. In other words, if they could see that they're payments are on track each month using a read-only service like Mint.com, they'd almost never have to actually log in to Provident's website. By forcing users to log in more often, Provident provides that many more opportunities for bad-guys to capture your password. If a bad-guy gets access to Mint.com credentials, they can see what a user spends their money on, but if they get access to Provident credentials, they can do more useful things like change billing addresses and who-knows-what-else.

Provident forces users to change their password every six months. As mentioned earlier, the practical value of this practice is questionable. But it truly becomes a false security practice when they allow users to reset their password to the same value as before. The site acts like it's got a security procedure, but all it really does is force a user to enter their password a bunch of times. Remember what I said earlier about the very act of entering your password? Yeah.

When changing their password, the user is required to enter their username and password again. I understand requiring the password, but the username is prominently displayed at the top of the page, so asking people to enter it again is completely useless from a security perspective.

Provident's password requirements are pretty close to the same as most websites, as mentioned above, except that the symbol character must be one of the following: !@#$-_. So rather than making the password harder to guess, this actually makes the hacker's job easier: he no longer has to worry that every character might be any symbol--he can now assume that one (and for 99% of users it'll be only one) of the password's characters is one of only seven possible values.

Now, I appreciate that in some areas, they do adhere to some real best-practices. They don't send your statements to you in an email, for example. But when it comes to false security practices like those above, I have to wonder:

Do they know that these practices are useless, but feel it's important to give users a sense of security just to keep up appearances? If so, that's really annoying and a little dangerous.

Do they actually think that these practices have some value? If so, they're inept when it comes to real security, and we have to wonder what true vulnerabilities they left open while they followed these red herrings.

Are some of these "security practices" signals that they have some really bad practices underlying their entire site, which they've had to work around? For example, are they failing to encode parameters, so they disallow funny characters in your password because they're afraid of little Bobby Tables? Are they blocking Mint.com because they have no confidence in their technical ability to keep an integration endpoint up and running? If so, we have to wonder whether they've got the technical competence to keep our data safe from real security threats.

I brought up many of these issues in an email directly to Provident months ago, and didn't get a very satisfactory response. Since there appears to be no sign of policy changes at this point, I'm hoping a little public shaming will get the attention of someone who cares. Feel free to share with people who are interested in this sort of thing.

Tuesday, September 09, 2014

The other day, on Radio West, I heard part of an interview with Nina Teicholz, author of The Big Fat Surprise: Why Butter, Meat and Cheese Belong in a Healthy Diet. For a while, I was fascinated as she recounted various ways that the medical and scientific communities had latched onto ideas about fat and cholesterol, ignoring evidence contrary to those ideas.

The Big Fat Surprise

Teicholz's claim is basically that trying to reduce fat in our diet has had the opposite effect from what was intended. This concept is unsurprising to me. When trying too hard to avoid any one kind of food in our diet, it's easy to replace that thing with even less-wholesome alternatives. I remember a man in a birthing class trying to figure out a good diet for his wife, who was a "vegetarian." It turns out that while she didn't eat meat, she didn't eat any vegetables either, which basically left nothing but processed carb-rich foods on their menu. A recent study showed that a low-carb diet is actually twice as effective as a low-fat diet when trying to lose weight, adding to a mounting body of evidence that we need to stop making fat the bogeyman it has been for some time. In general, it's best to eat natural, whole foods, with as little processing as possible: Butter is probably more healthy than margarine. Whole milk is probably more nutritious than skim milk or soy milk. Many of the things Teicholz was saying gibed with other things I'd learned. And she came across as very smart, knowledgeable, and convincing.

Pretty soon, though, the things she said stopped "ringing true." I'm not sure exactly when it was. It might have been when she started bashing on plant-based foods. "The evidence behind 'mostly plants,'" she said, "turns out to be quite thin." I may not be a nutritionist, but I'm passably familiar with nutrition science and plant-based diets in particular, and I can say with some certainty that there's a sizable body of evidence showing the benefits of eating fruits and vegetables.

Then a nagging suspicion started forming in the back of my mind as she shared her experiences with trying to set up interviews with some researchers:

I would get on the phone with researchers, and they would say, "If you're taking the Gary Taubes line, I won't even talk to you."

In my experience, when otherwise logical, well-educated people are completely unwilling to talk to someone, there's a reason behind it that's a little stronger than mere institutional bias. How did this "Gary Taubes" earn such a bad reputation in the scientific community? Did he interview researchers, and then take their statements out of context? Did he present the researchers' findings as supporting evidence for claims that they didn't actually support? Is he guilty of pseudoscience--the scientific community's equivalent of blasphemy? And if Teicholz is "taking the Gary Taubes line," then is she doing the same thing?

I remembered that some people will say what other people want to hear, because they know that other people will pay money to hear it. This is just a secular version of what the Book of Mormon calls "priestcraft." One website I stumbled upon claimed to have proof that all the health experts were wrong, and the best diet actually consists mostly of bacon and beer (no joke!), and if you send a check to such-and-such address, they'd send you more information about it. Was Teicholz's book just another incarnation of the "eat drink, and be merry, and everything will be okay" story that charlatans have been selling since time immemorial?

Just another Fad Diet Book

So when I got home, I did a simple Google search: "big fat surprise critical review." And lo, there it was: a hugetwopart article on a blog titled The Science of Nutrition, which tears The Big Fat Surprise to shreds. In summary:

What makes this particular book interesting is not so much that it is bad (which it is) or that it is extravagantly biased (which it also is). No, what really fascinates me about this book is that the author excessively and shamelessly lifts other people’s material. Most notably Teicholz lifts from another popular low-carb book called Good Calories, Bad Calories (GCBC) by Gary Taubes.

You probably don't have time to read through the whole thing--I didn't. But please go ahead and read a page or two, and then scroll to the bottom to see just how much content there is. You'll get a general idea of just how Nina Teicholz went about misinterpreting evidence, failing to find original sources, taking statements out of context, and so on. As the author concludes:

The issues I bring up in this review are too substantial and too numerous to be ignored. If you were to remove all of the instances where Teicholz deeply distorts a study or publication, and you were to remove all conclusions that she draws from the distortions you would be left with nothing but a pamphlet.

Every few years, it seems, a new book is published telling people about some simple change they can make that will help them lose weight and feel healthier. And every time a bunch of people rave about it, until they forget about it, and end up the same weight they were before. And the only people who really benefited were the author and publisher of the book. Meanwhile, scientific study after study confirms that the only way to consistently lose weight and keep it off is to do what experts have been saying all along: eat a variety of whole, fresh fruits and vegetables, limit how much food you eat, and get plenty of sleep and exercise. Anyone who tells you otherwise is selling something.

Some words of wisdom

Mormons believe in a code of health representing the "will of God in the temporal salvation of all saints in the last days." Revealed in 1833 to the prophet Joseph Smith, the Lord's pronouncement began:

In consequence of evils and designs which do and will exist in the hearts of conspiring men in the last days, I have warned you, and forewarn you, by giving unto you this word of wisdom by revelation

The Lord warned against the use of alcohol, tobacco, and stimulants. It emphasized a diet rich in grains and a variety of fresh fruits and vegetables, even encouraging abstinence from animal meat except when necessary.

When I became a member of the LDS church, I decided to follow this counsel more fully than most Mormons do--for about six years I was a vegetarian. I definitely experienced the blessings associated with this scripture:

18 And all saints who remember to keep and do these sayings, walking in obedience to the commandments, shall receive health in their navel and marrow to their bones; 19 And shall find wisdom and great treasures of knowledge, even hidden treasures; 20 And shall run and not be weary, and shall walk and not faint.

I'm still very fit, despite sitting at a computer way more than I should. But during those years after my baptism I was more healthy than at any other time in my life, and there were several times when I was amazed at how well I could "run and not be weary."

Since 1833, modern prophets have clarified, expanded on, and re-emphasized portions of this Word of Wisdom. For example, the prohibition of tobacco and alcohol has been extended to include illegal substances that didn't exist in Joseph Smith's time, and obedience to the Word of Wisdom is now a requirement to be worthy to enter the Lord's temples. We are also encouraged to use our own understanding to help keep our bodies healthy--for example, many Mormons avoid all forms of caffeine, rather than just coffee and tea.

At the same time, science has increasingly found the basic dietary guidelines from the original revelation to be good, sound advice. When I hear advice that directly contradicts counsel given by the Lord through His prophets, I'm going to choose the Lord's way. In the end, I think the Lord's wisdom will always be found to trump the knowledge of man.